Auditing Quick Start and Compatibility Notes

Auditing Quick Start and Compatibility Notes

The Audit Subsystem for Release 6.0.0 and subsequent releases is a complete replacement for the Audit Subsystem supported on previous releases, with limited compatibility for writing audit records using previously supported interfaces.

Commands and library routines

The following manual pages document the supported auditing interface. See the other sections under Auditing Your System for more information.

Commands

auditcnv(ADM) create default audit mask file

auditlog(ADM) display or set audit log file attributes

auditmap(ADM) create and write audit map files

auditoff(ADM) disable auditing

auditton(ADM) enable auditing

auditrpt(ADM) display recorded information from audit trail

auditset(ADM) select or display audit criteria

Library routines

auditbuf(S) get or set the audit buffer attributes

auditctl(S) get or set the status of auditing

auditdmp(S) write audit record to audit buffer

auditevt(S) get or set auditable events

auditlog(S) get or set audit log file attributes

Commands
auditcnv(ADM)	create default audit mask file
auditlog(ADM)	display or set audit log file attributes
auditmap(ADM)	create and write audit map files
auditoff(ADM)	disable auditing
auditton(ADM)	enable auditing
auditrpt(ADM)	display recorded information from audit trail
auditset(ADM)	select or display audit criteria
Library routines
auditbuf(S)	get or set the audit buffer attributes
auditctl(S)	get or set the status of auditing
auditdmp(S)	write audit record to audit buffer
auditevt(S)	get or set auditable events
auditlog(S)	get or set audit log file attributes

The following files and directories are used by the auditing subsystem:

File

/etc/default/audit System-wide Auditing defaults

/etc/init.d/audit
/etc/rc2.d/S02audit
/etc/rc0.d/K99audit Audit startup/shutdown scripts

/tcb/files/audit/auditmask Per-user audit event masks

/tcb/files/audit/classes Audit event classes

/var/audit/auditmap location of auditmap files

/tcb/bin/ Location of Auditing commands (see table above)

/tcb/bin/auditd Legacy audit daemon

/etc/auth/dlvr_audit Legacy command for writing audit record to /dev/auditw

/dev/auditr Legacy device for reading audit records

/dev/auditw Legacy device for writing audit records

File
/etc/default/audit	System-wide Auditing defaults
/etc/init.d/audit /etc/rc2.d/S02audit /etc/rc0.d/K99audit	Audit startup/shutdown scripts
/tcb/files/audit/auditmask	Per-user audit event masks
/tcb/files/audit/classes	Audit event classes
/var/audit/auditmap	location of auditmap files
/tcb/bin/	Location of Auditing commands (see table above)
/tcb/bin/auditd	Legacy audit daemon
/etc/auth/dlvr_audit	Legacy command for writing audit record to /dev/auditw
/dev/auditr	Legacy device for reading audit records
/dev/auditw	Legacy device for writing audit records

Enabling Auditing

Auditing is installed by default, but not enabled. To enable Auditing, do the following as root:

Edit the file /etc/conf/sdevice.d/audit, and make the following changes:
- Add "$static" to the top of the file,
- Change "N" to "Y" on the driver description line.
Save your changes to the file.

Enter the following commands:

   # /etc/conf/bin/idbuild -B
   # /etc/conf/bin/idcpunix
   # /etc/conf/bin/idmkenv

Reboot the system by running reboot.
Start Auditing by running auditon.

Starting and Stopping the Audit Subsystem

Auditing can be turned on and off using the auditon and auditoff commands.

Auditing can also be started automatically when the system enters multi-user mode by setting the value of the AUDIT_ENABLED parameter in /etc/default/audit to YES. (See also the audit startup script /etc/init.d/audit, which is linked to/etc/rc2.d/S02audit and /etc/rc0.d/K99audit).

Default Audit Event Masks

Audit event masks for individual users are stored in the file /tcb/files/audit/auditmask.

When a new user account is created, if no audit mask is explicitly specified, a default value specified by the AUDIT_MASK parameter in /etc/default/accounts is used; the default is "none". This means that only the system-wide auditable events specified in /etc/default/audit apply to the new user account.

Per-user audit masks are manipulated using the auditMask attribute of the user; it is specified and displayed as a list of strings representing event names. (See auditevents(M) for a list of auditable events.) The auditMask attribute for a user can be specified using the useradd(ADM) and usermod(ADM) commands, and listed using userls(ADM).

For example, the following command:

# usermod -x '{auditMask {fork exec exit kill set_uid set_gid}}' test0

includes the audit events shown in the user's audit mask. The user's audit mask can thereafter be displayed as follows:

# userls -l test0 -x auditMask
test0 {auditMask {exec exit fork kill set_gid set_uid}}

Note that the SCOadmin Account Manager cannot be used to specify, modify, or display user audit masks.

Compatibility Notes

The dlvr_audit command, and the /dev/auditr and /dev/auditw devices, are supported for compatibility with legacy applications that may depend on them.

All of the audit records written to /dev/auditw are audited by specifying a single event called dev_audit, a "fixed" event which is always set in the system audit mask. This means that writes to /dev/auditw will always be audited in the audit log files.

Obsolete commands and library calls

The following legacy auditing commands, as well as the SCOadmin Audit Manager client (scoadmin audit), are no longer supported.

auditcmd(ADM)

auditsh(ADM)

chg_audit(ADM)

reduce(ADM)

The following auditing library calls are obsolete, are supported for legacy applications only, and may be removed in a future release:

authaudit(S)

audit_adjust_mask

audit_auth_entry(S)

audit_close(S)

audit_lax_file(S)

audit_lock(S)

audit_login(S)

audit_no_resource(S)

audit_open(S)

audit_passwd(S)

audit_read(S)

audit_security_failure(S)

audit_subsystem(S)

smp_audit_fail(S)